  1. OpenAM
  2. OPENAM-12972

SAML2 Auth Module fails with empty SAML2 Advice assertion.

    Details

    • Needs QA verification:
      No
    • Functional tests:
      No
    • Are the reproduction steps defined?:
      Yes, and I used the same as in the description

      Description

      Bug description

      When using the SAML2 Integrated module and the Assertion has a SAML2 Advice element,
      the following can happen:

      Exception
      javax.security.auth.login.LoginException: java.lang.StringIndexOutOfBoundsException: String index out of range: -1
              at java.lang.AbstractStringBuilder.deleteCharAt(AbstractStringBuilder.java:824)
              at java.lang.StringBuilder.deleteCharAt(StringBuilder.java:253)
              at org.forgerock.openam.authentication.modules.saml2.SAML2.linkAttributeValues(SAML2.java:678)
              at org.forgerock.openam.authentication.modules.saml2.SAML2.setSessionAttributes(SAML2.java:515)
              at org.forgerock.openam.authentication.modules.saml2.SAML2.success(SAML2.java:500)
              at org.forgerock.openam.authentication.modules.saml2.SAML2.handleReturnFromRedirect(SAML2.java:347)
              at org.forgerock.openam.authentication.modules.saml2.SAML2.process(SAML2.java:177)

      How to reproduce the issue

      1. Create an IDP whose IDP Response contains an Advice on the empty Assertion (the IDP DefaultAdapter preSign hook can be used to inject this).
      2. Set up SAML2 on the SP machine and authenticate to this SP.
      3. When the module links the attributes, the error happens and authentication fails.

      This can be installed on the IDP by adding an IDPAdapter that creates an Advice on the Assertion response. Then use the SP SAML2 Auth module against this IDP. A sample IDPAdapter is provided in the attachment.

      Expected behaviour
      No error
      
      Current behaviour
      Failure with exceptions in Authentication logs
      

      Work around

      Code analysis

      SAML2.java

              if (assertion.getAdvice() != null) {
                  List<String> creds = assertion.getAdvice().getAdditionalInfo();
                  // <---- *** ISSUE *** creds can be empty, so the set stored here is empty
                  attrMap.put(SAML2Constants.DISCOVERY_BOOTSTRAP_CREDENTIALS, new HashSet<>(creds));
              }

              for (String name : attrMap.keySet()) {
                  Set<String> value = attrMap.get(name);
                  StringBuilder toStore = new StringBuilder();

                  // | is defined as the property value delimiter, cf FMSessionProvider#setProperty
                  for (String toAdd : value) {
                      toStore.append(com.sun.identity.shared.StringUtils.getEscapedValue(toAdd))
                              .append(PROPERTY_VALUES_SEPARATOR);
                  }
                  // <---- toStore is 0 LENGTH when value is empty, so length() - 1 is -1
                  toStore.deleteCharAt(toStore.length() - 1);
                  setUserSessionProperty(name, toStore.toString());
              }

      The obvious fix is:

                  if (value.size() > 0) {
                      for (String toAdd : value) {
                          toStore.append(com.sun.identity.shared.StringUtils.getEscapedValue(toAdd))
                                  .append(PROPERTY_VALUES_SEPARATOR);
                      }
                      toStore.deleteCharAt(toStore.length() - 1);
                  }

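      The following stand-alone class is an added illustration, not OpenAM code: it reproduces the empty-Advice failure from the stack trace and shows the size-guarded join from the proposed fix. The '|' delimiter value and the escape() stand-in for com.sun.identity.shared.StringUtils.getEscapedValue are assumptions for the demo.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.LinkedHashSet;
import java.util.Set;

// Added example (not OpenAM's own code): the join from SAML2.linkAttributeValues
// run against an empty set of Advice AdditionalInfo values, buggy and fixed.
public class LinkAttributeValuesDemo {
    // Assumed value; plays the role of PROPERTY_VALUES_SEPARATOR in SAML2.java.
    static final char PROPERTY_VALUES_SEPARATOR = '|';

    // Stand-in for StringUtils.getEscapedValue (assumed behaviour: backslash-escape the
    // delimiter so a value containing '|' cannot be split into two values later).
    static String escape(String s) {
        return s.replace("\\", "\\\\").replace("|", "\\|");
    }

    // Original logic: an empty set leaves toStore empty, so deleteCharAt(-1) throws.
    static String joinBuggy(Set<String> values) {
        StringBuilder toStore = new StringBuilder();
        for (String v : values) {
            toStore.append(escape(v)).append(PROPERTY_VALUES_SEPARATOR);
        }
        toStore.deleteCharAt(toStore.length() - 1); // StringIndexOutOfBoundsException: -1
        return toStore.toString();
    }

    // Fixed logic: only strip the trailing delimiter when something was appended.
    static String joinFixed(Set<String> values) {
        StringBuilder toStore = new StringBuilder();
        if (!values.isEmpty()) {
            for (String v : values) {
                toStore.append(escape(v)).append(PROPERTY_VALUES_SEPARATOR);
            }
            toStore.deleteCharAt(toStore.length() - 1);
        }
        return toStore.toString();
    }

    public static void main(String[] args) {
        Set<String> emptyAdvice = new HashSet<>(); // Advice element present, no AdditionalInfo
        Set<String> advice = new LinkedHashSet<>(Arrays.asList("cred1", "a|b")); // constructed

        System.out.println("fixed, empty  -> \"" + joinFixed(emptyAdvice) + "\"");
        System.out.println("fixed, values -> " + joinFixed(advice));
        try {
            joinBuggy(emptyAdvice);
        } catch (StringIndexOutOfBoundsException e) {
            System.out.println("buggy, empty  -> " + e);
        }
    }
}
```

      With the fix the empty case stores an empty property value instead of failing the whole login; the second sample value shows why the escaping step must stay inside the guarded loop.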

      People

      • Assignee:
        chee-weng.chea C-Weng C
      • Reporter:
        chee-weng.chea C-Weng C